Further Credentials Theft

We will list some advanced methods to recover credentials:

Cmdkey Saved Credentials

The cmdkey command can be used to create, list, and delete stored usernames and passwords.

To see if any credentials have been saved:

> cmdkey /list

    Target: LegacyGeneric:target=TERMSRV/SQL01
    Type: Generic
    User: inlanefreight\bob

We can't read the password, but when we attempt to RDP to the target SQL01, the saved credentials will be used:

We can also use runas:

Web Browser Credentials

Retrieve cookies & login forms from Google Chrome:

KeePass Password Manager

KeePass is a password manager whose database is stored locally on the host. The database file ends with .kdbx.

We can:

  1. Transfer the .kdbx to our attacking machine

  2. Use a tool such as keepass2john to extract the password hash

  3. Crack the password with Hashcat or John the Ripper

Extract the hash

Crack the hash

Microsoft Exchange E-Mails

We use the tool MailSniper to look for credentials in Microsoft Exchange e-mails.

Lazagne.exe

LaZagne looks for credentials in various places:

To run a full search with all modules:

Session Gopher

We can use SessionGopher to extract saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials.

Clear-Text Passwords in Registry

Certain programs and Windows configurations can result in clear-text passwords or other sensitive data being stored in the registry.

Windows AutoLogon

Windows AutoLogon configures the operating system to log on to a specific user account automatically, without requiring manual entry of credentials.

The username and password are stored in clear text in the registry at:

It usually has three values:

  • AutoAdminLogon - "0" for off, "1" for on

  • DefaultUserName

  • DefaultPassword

We read the values with:

Instead, it is recommended to use Autologon.exe from the Sysinternals suite, which stores the password encrypted as an LSA secret rather than in clear text.

Putty

For PuTTY sessions that use a proxy connection, the proxy credentials are stored in the registry in clear text when the session is saved.

Registry key access is tied to the user who saved the PuTTY session; it's in HKEY_CURRENT_USER. With admin privileges, you can find it in the corresponding user's hive in HKEY_USERS.

First we enumerate the saved sessions:

We can check the credentials of the session we found:
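As an added defender-side audit that is not part of the original notes, the following PowerShell checks both clear-text registry locations covered above: the Winlogon AutoLogon values and saved PuTTY proxy passwords. The Winlogon key path, PuTTY's HKCU Sessions key and the ProxyPassword value name are assumed from standard installations.

```powershell
# Added audit example (not from the original notes). Flags clear-text credentials in the
# two registry locations discussed above. Assumptions: standard Winlogon key path, PuTTY's
# default HKCU:\Software\SimonTatham\PuTTY\Sessions key, and ProxyPassword as the value name.
function Test-AutoLogonCleartext {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    # Any DefaultPassword value at all means the secret sits in the hive in clear text;
    # Autologon.exe stores it as an LSA secret instead and leaves this value absent.
    $hasPlain = $null -ne $props.PSObject.Properties['DefaultPassword']
    [pscustomobject]@{
        Source          = 'Winlogon AutoLogon'
        Name            = $props.DefaultUserName
        Enabled         = ($props.AutoAdminLogon -eq '1')
        ClearTextSecret = $hasPlain
        Remediation     = if ($hasPlain) { 'Re-create with Sysinternals Autologon.exe, then remove DefaultPassword' } else { '' }
    }
}

function Test-PuttyProxyCleartext {
    # Checks the current user's hive; an administrator auditing other users would point
    # this at the matching subkey under HKEY_USERS instead.
    param([string]$SessionsPath = 'HKCU:\Software\SimonTatham\PuTTY\Sessions')
    if (-not (Test-Path $SessionsPath)) { return }
    Get-ChildItem -Path $SessionsPath | ForEach-Object {
        $s = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Source          = 'PuTTY session'
            # PuTTY URL-encodes session names in the registry; decode for readability
            Name            = [uri]::UnescapeDataString($_.PSChildName)
            Enabled         = -not [string]::IsNullOrEmpty($s.ProxyHost)
            ClearTextSecret = -not [string]::IsNullOrEmpty($s.ProxyPassword)
            Remediation     = if ($s.ProxyPassword) { 'Clear the saved proxy password from the session' } else { '' }
        }
    }
}

# Report only the entries that actually hold a clear-text secret
$findings = @(Test-AutoLogonCleartext) + @(Test-PuttyProxyCleartext) | Where-Object ClearTextSecret
if ($findings) { $findings | Format-Table -AutoSize } else { 'No clear-text registry credentials found.' }
```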

Wifi Passwords

List Wi-Fi networks connected to recently:

Depending on the network configuration, we can retrieve the pre-shared key (Key Content below) and potentially access the target network:
